dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff5eef1816b5037715c6da38464a8a3f.exe
Size

1.1MB
MD5

ff5eef1816b5037715c6da38464a8a3f
SHA1

ba123a98299528f73ad8cbfa234d3fd9a78c47f5
SHA256

66495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104
SHA512

daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c
SSDEEP

12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\clb\\backgroundTaskHost.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	1680	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1680	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1680	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1680	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	1680	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1680	schtasks.exe	88

UAC bypass 3 TTPs 51 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6096	powershell.exe
5940	powershell.exe
728	powershell.exe
1036	powershell.exe
3084	powershell.exe
3528	powershell.exe
6128	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ff5eef1816b5037715c6da38464a8a3f.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	ff5eef1816b5037715c6da38464a8a3f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 16 IoCs

pid	Process
5792	unsecapp.exe
1452	unsecapp.exe
4116	unsecapp.exe
1284	unsecapp.exe
3076	unsecapp.exe
396	unsecapp.exe
4664	unsecapp.exe
4840	unsecapp.exe
2716	unsecapp.exe
4568	unsecapp.exe
112	unsecapp.exe
1964	unsecapp.exe
2436	unsecapp.exe
2024	unsecapp.exe
4768	unsecapp.exe
5112	unsecapp.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\clb\\backgroundTaskHost.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Documents and Settings\\OfficeClickToRun.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Documents and Settings\\OfficeClickToRun.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\clb\\backgroundTaskHost.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\dwmredir\\dwm.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\dwmredir\\dwm.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\ssh\\unsecapp.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\ssh\\unsecapp.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ff5eef1816b5037715c6da38464a8a3f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\clb\eddb19405b7ce1	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Windows\System32\enterpriseresourcemanager\RCX5BD1.tmp	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Windows\System32\clb\RCX5DD5.tmp	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Windows\System32\dwmredir\dwm.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Windows\System32\dwmredir\dwm.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Windows\System32\dwmredir\6cb0b6c459d5d3	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Windows\System32\clb\backgroundTaskHost.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Windows\System32\dwmredir\RCX52B5.tmp	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Windows\System32\clb\backgroundTaskHost.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Windows\System32\enterpriseresourcemanager\9e8d7a4ca61bd9	ff5eef1816b5037715c6da38464a8a3f.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\dwm.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX59BD.tmp	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\dwm.exe	ff5eef1816b5037715c6da38464a8a3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	ff5eef1816b5037715c6da38464a8a3f.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4664	schtasks.exe
3468	schtasks.exe
4036	schtasks.exe
4576	schtasks.exe
4672	schtasks.exe
4688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
2220	ff5eef1816b5037715c6da38464a8a3f.exe
728	powershell.exe
728	powershell.exe
3084	powershell.exe
3084	powershell.exe
1036	powershell.exe
1036	powershell.exe
6128	powershell.exe
6128	powershell.exe
5940	powershell.exe
5940	powershell.exe
6096	powershell.exe
6096	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
5940	powershell.exe
3084	powershell.exe
728	powershell.exe
1036	powershell.exe
6128	powershell.exe
6096	powershell.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe
5792	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	ff5eef1816b5037715c6da38464a8a3f.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	5940	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	6096	powershell.exe
Token: SeDebugPrivilege	5792	unsecapp.exe
Token: SeDebugPrivilege	1452	unsecapp.exe
Token: SeDebugPrivilege	4116	unsecapp.exe
Token: SeDebugPrivilege	1284	unsecapp.exe
Token: SeDebugPrivilege	3076	unsecapp.exe
Token: SeDebugPrivilege	396	unsecapp.exe
Token: SeDebugPrivilege	4664	unsecapp.exe
Token: SeDebugPrivilege	4840	unsecapp.exe
Token: SeDebugPrivilege	2716	unsecapp.exe
Token: SeDebugPrivilege	4568	unsecapp.exe
Token: SeDebugPrivilege	112	unsecapp.exe
Token: SeDebugPrivilege	1964	unsecapp.exe
Token: SeDebugPrivilege	2436	unsecapp.exe
Token: SeDebugPrivilege	2024	unsecapp.exe
Token: SeDebugPrivilege	4768	unsecapp.exe
Token: SeDebugPrivilege	5112	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 5940	2220	ff5eef1816b5037715c6da38464a8a3f.exe	99
PID 2220 wrote to memory of 5940	2220	ff5eef1816b5037715c6da38464a8a3f.exe	99
PID 2220 wrote to memory of 728	2220	ff5eef1816b5037715c6da38464a8a3f.exe	100
PID 2220 wrote to memory of 728	2220	ff5eef1816b5037715c6da38464a8a3f.exe	100
PID 2220 wrote to memory of 1036	2220	ff5eef1816b5037715c6da38464a8a3f.exe	101
PID 2220 wrote to memory of 1036	2220	ff5eef1816b5037715c6da38464a8a3f.exe	101
PID 2220 wrote to memory of 3084	2220	ff5eef1816b5037715c6da38464a8a3f.exe	102
PID 2220 wrote to memory of 3084	2220	ff5eef1816b5037715c6da38464a8a3f.exe	102
PID 2220 wrote to memory of 3528	2220	ff5eef1816b5037715c6da38464a8a3f.exe	103
PID 2220 wrote to memory of 3528	2220	ff5eef1816b5037715c6da38464a8a3f.exe	103
PID 2220 wrote to memory of 6128	2220	ff5eef1816b5037715c6da38464a8a3f.exe	104
PID 2220 wrote to memory of 6128	2220	ff5eef1816b5037715c6da38464a8a3f.exe	104
PID 2220 wrote to memory of 6096	2220	ff5eef1816b5037715c6da38464a8a3f.exe	105
PID 2220 wrote to memory of 6096	2220	ff5eef1816b5037715c6da38464a8a3f.exe	105
PID 2220 wrote to memory of 1348	2220	ff5eef1816b5037715c6da38464a8a3f.exe	113
PID 2220 wrote to memory of 1348	2220	ff5eef1816b5037715c6da38464a8a3f.exe	113
PID 1348 wrote to memory of 1008	1348	cmd.exe	115
PID 1348 wrote to memory of 1008	1348	cmd.exe	115
PID 1348 wrote to memory of 5792	1348	cmd.exe	117
PID 1348 wrote to memory of 5792	1348	cmd.exe	117
PID 5792 wrote to memory of 4076	5792	unsecapp.exe	119
PID 5792 wrote to memory of 4076	5792	unsecapp.exe	119
PID 5792 wrote to memory of 5756	5792	unsecapp.exe	120
PID 5792 wrote to memory of 5756	5792	unsecapp.exe	120
PID 4076 wrote to memory of 1452	4076	WScript.exe	122
PID 4076 wrote to memory of 1452	4076	WScript.exe	122
PID 1452 wrote to memory of 3468	1452	unsecapp.exe	123
PID 1452 wrote to memory of 3468	1452	unsecapp.exe	123
PID 1452 wrote to memory of 2428	1452	unsecapp.exe	124
PID 1452 wrote to memory of 2428	1452	unsecapp.exe	124
PID 3468 wrote to memory of 4116	3468	WScript.exe	126
PID 3468 wrote to memory of 4116	3468	WScript.exe	126
PID 4116 wrote to memory of 2112	4116	unsecapp.exe	128
PID 4116 wrote to memory of 2112	4116	unsecapp.exe	128
PID 4116 wrote to memory of 4936	4116	unsecapp.exe	129
PID 4116 wrote to memory of 4936	4116	unsecapp.exe	129
PID 2112 wrote to memory of 1284	2112	WScript.exe	137
PID 2112 wrote to memory of 1284	2112	WScript.exe	137
PID 1284 wrote to memory of 4448	1284	unsecapp.exe	138
PID 1284 wrote to memory of 4448	1284	unsecapp.exe	138
PID 1284 wrote to memory of 3652	1284	unsecapp.exe	139
PID 1284 wrote to memory of 3652	1284	unsecapp.exe	139
PID 4448 wrote to memory of 3076	4448	WScript.exe	140
PID 4448 wrote to memory of 3076	4448	WScript.exe	140
PID 3076 wrote to memory of 3684	3076	unsecapp.exe	141
PID 3076 wrote to memory of 3684	3076	unsecapp.exe	141
PID 3076 wrote to memory of 5716	3076	unsecapp.exe	142
PID 3076 wrote to memory of 5716	3076	unsecapp.exe	142
PID 3684 wrote to memory of 396	3684	WScript.exe	143
PID 3684 wrote to memory of 396	3684	WScript.exe	143
PID 396 wrote to memory of 5536	396	unsecapp.exe	144
PID 396 wrote to memory of 5536	396	unsecapp.exe	144
PID 396 wrote to memory of 4192	396	unsecapp.exe	145
PID 396 wrote to memory of 4192	396	unsecapp.exe	145
PID 5536 wrote to memory of 4664	5536	WScript.exe	146
PID 5536 wrote to memory of 4664	5536	WScript.exe	146
PID 4664 wrote to memory of 4076	4664	unsecapp.exe	147
PID 4664 wrote to memory of 4076	4664	unsecapp.exe	147
PID 4664 wrote to memory of 1064	4664	unsecapp.exe	148
PID 4664 wrote to memory of 1064	4664	unsecapp.exe	148
PID 4076 wrote to memory of 4840	4076	WScript.exe	150
PID 4076 wrote to memory of 4840	4076	WScript.exe	150
PID 4840 wrote to memory of 4120	4840	unsecapp.exe	151
PID 4840 wrote to memory of 4120	4840	unsecapp.exe	151

System policy modification 1 TTPs 51 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe
"C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dwmredir\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\clb\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Uc8ws4IVzw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1008
- - C:\Users\All Users\ssh\unsecapp.exe
    "C:\Users\All Users\ssh\unsecapp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca79cd5-c86d-4239-a167-ce5d43c86842.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1452
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\397b9676-34f6-4710-b3e6-8aa3742c11c5.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\765d682c-f09e-44ad-9e6d-2607764bf11a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8064504-1ef5-437a-a621-985081a5368b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59256ace-87a9-4c8c-aec6-52995fc46301.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2617ac0f-4891-4a53-a8ec-3d367fb10bf2.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5536
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6f4427b-69dc-425c-a4d2-e7e1d2b83a2a.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51e5228e-f6a2-4718-a8bb-e9b6384ccb19.vbs"
        18⤵
        
        PID:4120
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d137b0d4-a7f5-4aa1-b56a-37dc83a284fd.vbs"
        20⤵
        
        PID:2576
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5940e895-e874-4a23-9d5b-8e07697ea3cb.vbs"
        22⤵
        
        PID:864
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ea51be-f0d2-47d2-b753-8e93cff9c522.vbs"
        24⤵
        
        PID:6092
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\614e0ae2-adc0-442a-8d4b-f30195023730.vbs"
        26⤵
        
        PID:528
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\696fb501-1694-4bbf-a0d0-fa4969f9ccd5.vbs"
        28⤵
        
        PID:2184
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc114b7-f727-4140-baf7-2daf01b654e1.vbs"
        30⤵
        
        PID:3052
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d454f304-4d8f-4429-8085-ed10b9250fab.vbs"
        32⤵
        
        PID:4632
        
        C:\Users\All Users\ssh\unsecapp.exe
        
        "C:\Users\All Users\ssh\unsecapp.exe"
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a46329a-401e-4fe9-a4a4-818017b7682e.vbs"
        34⤵
        
        PID:5208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2dcbfd-bc4a-4aee-9fd6-ac4dd1aed1d2.vbs"
        34⤵
        
        PID:5680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63bbdc2f-e1b6-4466-8ee9-f26d97a45c94.vbs"
        32⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a0da81-0e26-47b1-996a-e4a3f3f3e092.vbs"
        30⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541abfff-2d42-455c-b168-f4a773b90a42.vbs"
        28⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b8f60f8-bb11-44a4-9f5c-7e30b30d82aa.vbs"
        26⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72cb3dcb-888b-4e3f-ab09-f97efbef015f.vbs"
        24⤵
        
        PID:4452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\758123bd-3852-4f4a-abf0-06cd4e85da09.vbs"
        22⤵
        
        PID:4156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7f0804-7d5e-4e1f-8a07-cf9fb3d49a32.vbs"
        20⤵
        
        PID:5088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\225f6c14-299f-405e-9349-3c244a6ebaed.vbs"
        18⤵
        
        PID:8
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185c1a5f-ee23-4ed2-a2e4-c71e8df40275.vbs"
        16⤵
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c59d457-4a64-4fc6-a7fb-fb34c2f2c61d.vbs"
        14⤵
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b155350-63fa-44c9-a2b6-4249c58d6d76.vbs"
        12⤵
        
        PID:5716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd1c9ce4-8dec-4246-bfc6-bffbf3824793.vbs"
        10⤵
        
        PID:3652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72a6e0c1-76ff-4d42-bed0-4e3dc5c79f0f.vbs"
        8⤵
        
        PID:4936
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e102a4-cf6e-4f3d-81aa-7bc6fef18627.vbs"
        6⤵
        
        PID:2428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8ae3744-210e-41b8-998a-e1336f5e5306.vbs"
      4⤵
      PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\dwmredir\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\clb\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssh\unsecapp.exe

Filesize
1.1MB

MD5
b0ecc167930705bfa9b3ce32ac4a7f67

SHA1
2efb60c1b290c833b5c932b7ef318efbfb6a9483

SHA256
be9352f21b64df995d829fb01f1dda448dce93141a5afd24bce9e127aa8be654

SHA512
b892d95dcabfcb6453b7ffac8685d73e77ad9ad8c0824216615b0aec2b71dd845eb95f437f43149872a53cd7bd5c950ed77133c0d6675240eca8a49a0b2a1f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5c56bc9516ee1aeea75a81d98481ee92

SHA1
1713f6c42d50fb29d62fc9af9732ddba5ec1d264

SHA256
4289eb4ee8622c15b6257056e3db539193204c38f5508c2e1e776676177fea5f

SHA512
be6af08ee11cd4d95aeb0badc2464207232c9de40b18b077e5b4070b245b494147667e9245ca49e9d51b527d5cb7d550eb7bf1ec20cc679fa9ad95ab9e31da31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acd80d6d7114a61d8c01c77f78c805fb

SHA1
f0b79e5fd09ae019fe95d994a5b32a6a6922172d

SHA256
2d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818

SHA512
1cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc1d0291bbd8e80c9703fb1f4b4d14dc

SHA1
084009b8f1e67e03c9b7333293fbc00d3617948e

SHA256
4a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a

SHA512
75672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2617ac0f-4891-4a53-a8ec-3d367fb10bf2.vbs

Filesize
710B

MD5
e345d1587bee18316db0af7fc8a25b59

SHA1
3a8b0e014e17eb2e838e278a95ee9f4c8f4ce6d9

SHA256
3fee873bec454c9eef774a5d2416bcd5ed4503e785527bf07843facae7229a23

SHA512
69aae57260fa82880ba953a1e4dc4a031fbb021a31c14458ac112b517578d3902a03867599f41d4e56e71c7b31894006aaf351ec19835923c6f24dd35ad41bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\397b9676-34f6-4710-b3e6-8aa3742c11c5.vbs

Filesize
711B

MD5
5bd3386549f7585b95730bc4267d2af0

SHA1
b1610cedf916f873a87e3ea92257c91a9c01c080

SHA256
bbf05ec5ca81de5b4650c75c43bda1fb6a21ba3417f1f8588358ce82127114f9

SHA512
c47630700dd7d05aaa229d1f0b9b0f12235ab5f033f16b7779aea3556a91fd4a9e01d911e24ee859640bd6e22b90f7cd9496a53cc372ad3a7f9be36623dfaa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\51e5228e-f6a2-4718-a8bb-e9b6384ccb19.vbs

Filesize
711B

MD5
d149631831711985b99a5d451ac388f1

SHA1
fcfe6b47df9b22fb094811ec5af407f14c7df15e

SHA256
e6652247b0ed14485ba703ed96bf750525f7dd2fa3a4511bb8f7da8d8d409288

SHA512
dd6d82ef580a5045f8c3b1a9a400388a01baf85e8ea2b24c6f1d3dc99966f2f93741db135552cde89f7d3d091da0f7737b88283852403caf812ed2e9c9de5cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\59256ace-87a9-4c8c-aec6-52995fc46301.vbs

Filesize
711B

MD5
af4982e8e4fdce4419afd14723c8d861

SHA1
abc0f9e37ddff21dbbe9079f57757be6c20dce50

SHA256
722225140c66b82641e89478823246613844a8c29e3b37d347e12a45cc70d757

SHA512
6ab9c270bad2b6e31e7d6c2c62b036a5f54aaede816b2a7c45d7ab4c0568515400a9fe597e42daca26806650f9ac3929ef7fc1eeb37a79f813880b2f2813e1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5940e895-e874-4a23-9d5b-8e07697ea3cb.vbs

Filesize
711B

MD5
a005d9fcb884243a9d6ab143a0e5367d

SHA1
da9055ec4cd0dd9e70c66abed5f821195e24ddf5

SHA256
8ace5343d2fb9548a7306ed4a5c820fe1cca47b386faefec8b4e9decc6fb5419

SHA512
cd273d628623f44ae238702647af0e09614a608f565d4b54adb37bad87af844c2de7719e01a4b47125a7a180cf82029c7f475a78860bb8b78d699ab2d2f30356

Download Submit
C:\Users\Admin\AppData\Local\Temp\614e0ae2-adc0-442a-8d4b-f30195023730.vbs

Filesize
711B

MD5
ca9a690a75d9c090c0e7ff377061204b

SHA1
a36f456110458fce2d63fc9db49cf898c379857b

SHA256
3fcae95e2cbf023f20101330614d4b8087345ed187175083e6b1607079319b6b

SHA512
e09c7943bcfaa9693c32bc335087998c1f69da78814a3c94df1aa635268fa2a1ced995a1fcd9c76ae05ea09b0f7a89ae16f87b0ed3021df32e4fe797537c3d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\696fb501-1694-4bbf-a0d0-fa4969f9ccd5.vbs

Filesize
711B

MD5
8f36f0ac07167ca3c6b7f2bd94214c43

SHA1
c013611df1ea679dcffbad7b72578c95440d63a3

SHA256
03ff9b21a06c472975a12518f63b2f0236c2ecd231c5457e026b844a3efb827d

SHA512
ea8a1732217097ba4b80c3a037a244fd52f922917ada28bdbb28c8e5987f0120994f11f637c7adb2b831a0c2a63a6b0ecf3f51e0281fd358f1f170704bff5726

Download Submit
C:\Users\Admin\AppData\Local\Temp\765d682c-f09e-44ad-9e6d-2607764bf11a.vbs

Filesize
711B

MD5
0ebd457409baf89bffc0e7139a00ad0d

SHA1
c9813fa46b47419a1ce48cfeb453fbc016c56ee6

SHA256
39a109c002e309a501d239d6257e09a87ab48d48244b6458fa74cd0d2f79817c

SHA512
d554a440ca3acc69c21b78ac250636aef8b99f6d491237e088daca5e4a36ebe58f75afd26946dfa747ab1158807f8d4becb39e45c82747264428a880940ed7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uc8ws4IVzw.bat

Filesize
199B

MD5
6f8fc4a9e22bd9a8fd8a58fb565f5b16

SHA1
c9a01447e4a46d4b8984f9c4ec4d1cd15bfdbcf5

SHA256
d72691643c13562a8e1234d735cb2d2d0d8087b096fb5cce9704a81cf96f1de0

SHA512
c2b3ac42fe639cce7938b3f3b82e9794b127e9b408e3b398404af1f360c9fda8ca0f5bb976060d6ee35ad8e74d1524400c5de3e99682ee4774b17fde608645ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncv30gdo.3gu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6f4427b-69dc-425c-a4d2-e7e1d2b83a2a.vbs

Filesize
711B

MD5
94a2c023bb19c7f93bca8557f050256b

SHA1
4c584a7441068605c38477fec6176d4b9b6a579c

SHA256
09d22b4f4242228d90832af04b6f444a78e187772547aab27b3cf8b24b25817d

SHA512
5536e927c5ca7ecf0e5cb765a4be74c6f617324bcaf289ea2a2b7a37550938d81fb9a59ec8083f752851d4ee414c4567688c4a3ae2b84348667c85b390b739d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d137b0d4-a7f5-4aa1-b56a-37dc83a284fd.vbs

Filesize
711B

MD5
938200b61cde9edc52ecd30a1189002a

SHA1
04fb92161e8583fa578b2ad4b6f945d4eb8acff7

SHA256
bc5067bb0781bde0df555d6fb13d0d0874012d2720508bac10710bc21b52bb1c

SHA512
e037ad1746f0d6946b258cd8c866b4a0e3bb2a0feb84dd38a5cbb688d59d976d587539190a6d2f156a15a07134f201815bd3a73997bf3218c85a1c744618a7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2ea51be-f0d2-47d2-b753-8e93cff9c522.vbs

Filesize
710B

MD5
e7432c581fdb11ee2657d469991a1481

SHA1
b742a372076ea78dc28ad89185bd4014e6c45a68

SHA256
27722dd2dc853c9f15b96735c50ddb28d73291da186532a550ef3c58d9bb65ab

SHA512
c288a9394530e73d4533cefdd921e34fbe8f08871b3e4f5218e4b82ca849d7b1839f0e4164388523ebc1090248cf7e179dc84ad306fb257a8805deef4029b60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8064504-1ef5-437a-a621-985081a5368b.vbs

Filesize
711B

MD5
45033ca2e5d2ce25c9779b7e6394085c

SHA1
9569535651ee74ee581c81ac98cda5d37fdf4b8b

SHA256
0cea7eecce4b0d2283e9b2f4dc4bec967bf2fb316d069fcf955bb85b365081ed

SHA512
a6e4b4eefeadd276d7417071135e57573513d07ec4bb0a68bc773c725c6b8aea389ca0d61b394c5d15bc159ee59ac76a6c02d1b3d67a74cf88bbf7e0c32d8d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8ae3744-210e-41b8-998a-e1336f5e5306.vbs

Filesize
487B

MD5
664f26b46ad547e1a119bd9b851170a5

SHA1
b0e267a94ffbd477fd7aa4c8087a2ad5f1c30361

SHA256
4f7c2c037d3bb4fa218c373977be3a785468dde7d5c2d53b788f3fe5fc8f9ab3

SHA512
935786fe92b3c847b0735cc0f2e86d2e5c3392a349823d28551c4ffc7998b617e5f22945694f16feef99cf7107953335d5263a218184e9ff005df06fb1a4374a

Download Submit
C:\Users\Admin\AppData\Local\Temp\edc114b7-f727-4140-baf7-2daf01b654e1.vbs

Filesize
711B

MD5
b73570638e2c8147ce1a7d617492cb1a

SHA1
23ace6bf1406ba54b3e6fe5e5ad6d642cf0b8892

SHA256
772fcfcda8d65d3fb2907dcf098937a48b63d5e9cda9559535ddd255c24c687a

SHA512
b1b0bbaa202d813cd5a544ca57c6b40ad3ff2cbd35ca9e771397c628cb5b3e2096958a6670c50162f6f488182368f12370b7d25b074100a89ffbad9c94c42de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fca79cd5-c86d-4239-a167-ce5d43c86842.vbs

Filesize
711B

MD5
289b8778613e1519b43668e8dfb57d43

SHA1
990d79d00791c0a1cf251707560ea1befb8c22b7

SHA256
5be1bde1404ef72ebb41a149a65ad1c743fe5a7236852b8c2e40b81b32b0c641

SHA512
468115cc51b8206c99aa0c1ed397c2c55fff2f67833fb9fd2ce62a5a594fe9d25d04d0419a0f5bd33c716f1287f2f82b732d690bf0700d9e7a5c60cc45995d63

Download Submit
C:\Windows\System32\clb\RCX5DD5.tmp

Filesize
1.1MB

MD5
f2df4754fe7548bb87c1b6a011922c71

SHA1
abf203c368413b7029a4b762de65838008d0666d

SHA256
3b2b784580c719e432fe5a69a3f43696538665eba0288a5c15580d7132e5af5e

SHA512
77f96abf467a548e6cab9828f253d2cf1853baf47d8a9ce2609f3ca6757f4f165fda76c5cc2e409194549e8f3737603b637b87a54f5189a020853cd893a70d20

Download Submit
C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe

Filesize
1.1MB

MD5
ff5eef1816b5037715c6da38464a8a3f

SHA1
ba123a98299528f73ad8cbfa234d3fd9a78c47f5

SHA256
66495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104

SHA512
daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c

Download Submit
memory/112-282-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download
memory/1452-182-0x0000000002C30000-0x0000000002C42000-memory.dmp

Filesize
72KB

Download
memory/1964-294-0x000000001B390000-0x000000001B3A2000-memory.dmp

Filesize
72KB

Download
memory/2220-3-0x000000001B650000-0x000000001B658000-memory.dmp

Filesize
32KB

Download
memory/2220-4-0x000000001BCC0000-0x000000001BCD2000-memory.dmp

Filesize
72KB

Download
memory/2220-13-0x000000001BE40000-0x000000001BE4A000-memory.dmp

Filesize
40KB

Download
memory/2220-11-0x000000001BE20000-0x000000001BE30000-memory.dmp

Filesize
64KB

Download
memory/2220-12-0x000000001BE30000-0x000000001BE38000-memory.dmp

Filesize
32KB

Download
memory/2220-10-0x000000001BE10000-0x000000001BE20000-memory.dmp

Filesize
64KB

Download
memory/2220-18-0x000000001BE90000-0x000000001BE98000-memory.dmp

Filesize
32KB

Download
memory/2220-14-0x000000001BE50000-0x000000001BE5C000-memory.dmp

Filesize
48KB

Download
memory/2220-0-0x00007FFFF5EC3000-0x00007FFFF5EC5000-memory.dmp

Filesize
8KB

Download
memory/2220-9-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/2220-104-0x00007FFFF5EC0000-0x00007FFFF6981000-memory.dmp

Filesize
10.8MB

Download
memory/2220-8-0x000000001BE00000-0x000000001BE08000-memory.dmp

Filesize
32KB

Download
memory/2220-6-0x000000001BDD0000-0x000000001BDDA000-memory.dmp

Filesize
40KB

Download
memory/2220-1-0x0000000000A90000-0x0000000000BA4000-memory.dmp

Filesize
1.1MB

Download
memory/2220-7-0x000000001BDF0000-0x000000001BDFC000-memory.dmp

Filesize
48KB

Download
memory/2220-5-0x000000001BDE0000-0x000000001BDEC000-memory.dmp

Filesize
48KB

Download
memory/2220-25-0x00007FFFF5EC0000-0x00007FFFF6981000-memory.dmp

Filesize
10.8MB

Download
memory/2220-16-0x000000001BE70000-0x000000001BE78000-memory.dmp

Filesize
32KB

Download
memory/2220-24-0x00007FFFF5EC0000-0x00007FFFF6981000-memory.dmp

Filesize
10.8MB

Download
memory/2220-15-0x000000001BE60000-0x000000001BE6A000-memory.dmp

Filesize
40KB

Download
memory/2220-21-0x000000001BEB0000-0x000000001BEB8000-memory.dmp

Filesize
32KB

Download
memory/2220-17-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/2220-20-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

Filesize
48KB

Download
memory/2220-2-0x00007FFFF5EC0000-0x00007FFFF6981000-memory.dmp

Filesize
10.8MB

Download
memory/2436-306-0x0000000002C80000-0x0000000002C92000-memory.dmp

Filesize
72KB

Download
memory/3084-85-0x00000220E12A0000-0x00000220E12C2000-memory.dmp

Filesize
136KB

Download
memory/5112-334-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/5792-169-0x0000000000D80000-0x0000000000E94000-memory.dmp

Filesize
1.1MB

Download